Isn't this essentially a Clickjacking bug? Doesn't the victim have to (1) deliberately have a sensitive document open, (2) be somehow framed by an attacker's malicious IFrame, and then (3) click the "submit feedback" button to report a problem to Google?
All three of those conditions are independently rare. The equivalent conditions are rare in all CJ bugs, which is a reason CJs are sort of a running joke in appsec. This bug isn't a joke (look at the target and the impact), but condition (3) is also way more unlikely than the median CJ report somewhere else.
If I understand the bug correctly --- maybe I don't --- this researcher got what might perhaps be the largest bounty ever paid for a CJ bug.
This seems a bit different than clickjacking to me. In CJ, the victim performs sensitive actions because the UI is obscured. Here the UI is unobscured, and the user performs actions that should be fairly unsensitive.
All three of those conditions are independently rare. The equivalent conditions are rare in all CJ bugs, which is a reason CJs are sort of a running joke in appsec. This bug isn't a joke (look at the target and the impact), but condition (3) is also way more unlikely than the median CJ report somewhere else.
If I understand the bug correctly --- maybe I don't --- this researcher got what might perhaps be the largest bounty ever paid for a CJ bug.